b'REVIEW OF DCA POLICY FOR DETERMINING EXAMINATION\n          FREQUENCY, SCOPE, AND PRIORITY\n\n\n\n                 Audit Report No. 99-013\n                     March 15, 1999\n\n\n\n\n                OFFICE OF AUDITS\n\n          OFFICE OF INSPECTOR GENERAL\n\x0c                         TABLE OF CONTENTS\n\n\nBACKGROUND                                                               2\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY                                       2\n\n\nRESULTS OF AUDIT                                                         3\n\nDCA\xe2\x80\x99S POLICY ON RISK MANAGEMENT PRIORITIES PLACES                        4\nFDIC AT A GREATER RISK OF NOT DETECTING INSTANCES OF\nNONCOMPLIANCE\n\nRecommendations                                                          7\n\nDCA\xe2\x80\x99S CURRENT INTERNAL CONTROL RISK RANKING IS                           8\nINCONSISTENT WITH ITS POLICY ON RISK MANAGEMENT\nPRIORITIES\n\nRecommendations                                                         10\n\n\nCORPORATION COMMENTS AND OIG EVALUATION                                 10\n\n\nAPPENDIXES\n     APPENDIX I: Division of Compliance and Consumer Affairs Response   13\n     APPENDIX II: Management Decision Table                             16\n\n\nTABLES\n    TABLE 1: Violations Found In 40 Banks With Compliance Ratings\n             Of \xe2\x80\x9c1\xe2\x80\x9d And \xe2\x80\x9c2\xe2\x80\x9d                                              6\n    TABLE 2: Consumer Protection Laws And Regulations                   11\n    TABLE 3: Common Compliance Violations For 1996 DCA\n             Examinations                                               12\n\x0cFederal Deposit Insurance Corporation                                                         Office of Audits\nWashington, D.C. 20434                                                           Office of Inspector General\n\n\n\n\n   DATE:                        March 15, 1999\n\n   MEMORANDUM TO:               Ronald F. 
Bieker, Acting Director\n                                Division of Compliance and Consumer Affairs\n\n\n   FROM:                        David H. Loewenstein\n                                Assistant Inspector General\n\n   SUBJECT:                      Review of DCA Policy for Determining Examination Frequency,\n                                 Scope, and Priority\n                                (Audit Report No. 99-013)\n\n   The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General has completed a\n   review of the Division of Compliance and Consumer Affairs (DCA) policy for determining the\n   frequency, scope, and priority of compliance and Community Reinvestment Act (CRA)\n   examinations for FDIC-insured state nonmember institutions.\n\n   On January 26, 1998, DCA issued a new policy entitled \xe2\x80\x9cRisk Management Priorities\xe2\x80\x9d that\n   directly addressed the frequency, scope, and priority of examinations. DCA intended for this\n   policy to improve risk management procedures for conducting examinations within DCA\xe2\x80\x99s\n   existing resources. The policy extends the full-scope examination frequencies for up to 5 years\n   and requires examiners to evaluate compliance with certain laws and regulations using \xe2\x80\x9caggressive\n   scoping procedures\xe2\x80\x9d (eliminating or reducing the review for certain laws and regulations) \xe2\x80\x9cto the\n   greatest extent possible\xe2\x80\x9d to save time during compliance examinations. This policy permits\n   changes to DCA\xe2\x80\x99s examination process that would make it different from the compliance\n   programs at the other federal bank regulatory agencies. 
Moreover, we are concerned that the\n   extended examination cycle and reduced testing of certain regulations could diminish FDIC\xe2\x80\x99s\n   ability to adequately enforce consumer protections under the law and may give banks and the\n   public the perception that the FDIC has placed a lower priority on conducting these examinations.\n\n   In addition, we are concerned that DCA has redefined its internal control risk assessment and\n   lowered its risk ranking for its compliance reviews. In light of DCA\xe2\x80\x99s 1998 policy to extend\n   examination frequencies and to aggressively scope reviews of bank compliance with consumer\n   protection laws and regulations, the internal control risk assessment should be re-examined.\n\x0cBACKGROUND\n\nThe FDIC is legislatively authorized to enforce compliance with various laws and regulations\nrelated to consumer protections and civil rights with respect to insured state-chartered\nnonmember banks. Table 2 on page 11 contains a listing of the subject laws and regulations.\nInsured state-chartered nonmember banks are banks that are insured by the FDIC, chartered by\nthe state in which they operate, and not members of the Federal Reserve System. In addition to\nensuring compliance with consumer protection laws and regulations, the FDIC is responsible for\nmonitoring the CRA activities of these non-member institutions. Enacted in 1977, the CRA was\nintended to encourage federally-insured depository institutions to lend in low- and moderate-\nincome neighborhoods.\n\nFDIC established DCA as a separate division in 1994 to conduct examinations to determine\ncompliance with consumer protection, civil rights, and fair housing laws and regulations.\nPreviously, the Division of Supervision conducted these reviews as part of the Division\xe2\x80\x99s safety\nand soundness examinations. 
Noncompliance with consumer protection laws may result in\ncorrective enforcement actions requiring payment of restitution or penalties, or reimbursement to\ncustomers of improperly charged fees or interest. As required by the CRA, DCA also periodically\nevaluates each institution\xe2\x80\x99s record of helping to meet the credit needs of the bank\xe2\x80\x99s entire\ncommunity. Noncompliance with CRA may result in adverse publicity that can impact negatively\non the bank\xe2\x80\x99s ability to continue servicing existing relationships, and to establish new relationships\nand services within the community.\n\nThere are no federally mandated examination frequency requirements for compliance or CRA\nexaminations. In May 1996, the FDIC Operating Committee agreed to a maximum 36-month\nexamination frequency schedule for FDIC-supervised financial institutions with composite ratings\nof \xe2\x80\x9c1\xe2\x80\x9d or \xe2\x80\x9c2\xe2\x80\x9d for compliance and \xe2\x80\x9cOutstanding\xe2\x80\x9d or \xe2\x80\x9cSatisfactory\xe2\x80\x9d ratings for CRA. Previously,\nthese institutions were evaluated on a 24-month examination cycle. Institutions rated \xe2\x80\x9c3\xe2\x80\x9d for\ncompliance continued to have a 24-month examination cycle. The frequency schedule for\ninstitutions with composite ratings of \xe2\x80\x9c4\xe2\x80\x9d or \xe2\x80\x9c5\xe2\x80\x9d for compliance, and \xe2\x80\x9cNeeds to Improve\xe2\x80\x9d or\n\xe2\x80\x9cSubstantial Noncompliance\xe2\x80\x9d ratings for CRA remained at 12 months.\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nWe reviewed the policy for determining examination frequency, scope, and priority in the DCA\nAtlanta Regional Office. 
The initial objectives of the audit were to determine whether:\n(1) examinations are conducted in compliance with FDIC policies and procedures related to the\nfrequency of examinations, (2) examinations are conducted in a manner that ensures the\nconsistency of the scope of the reviews, (3) and examination priorities are identified and\naddressed in a timely manner. However, the scope of our audit changed during the field work\nphase of our audit due to the January 1998 issuance of a new DCA policy entitled \xe2\x80\x9cRisk\nManagement Priorities\xe2\x80\x9d which directly addressed the frequency, scope, and priority of DCA\nexaminations. The purpose of the change in audit scope was to focus on the risks associated\n\n                                                  2\n\x0cwith the new policy as it relates to extended examination frequencies and methods used to identify\ncompliance risk in FDIC-supervised institutions.\n\nTo accomplish the audit objectives, we reviewed compliance and CRA examinations conducted\nfrom January 1997 through March 1998 on 40 banks ranging in size from $10 million to $1.6\nbillion. Our audit work included reviewing DCA policies and procedures, examination reports\nand workpapers, examination statistics, and internal control management reports. In addition, we\ndiscussed the process for determining examination frequencies,scoping requirements, and off-site\nmonitoring of institutions with various officials in DCA headquarters, officials and examiners in\nthe Atlanta Regional Office, and officials from the Federal Reserve Board (FRB), the Office of the\nComptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS). 
We also met\nwith the Chairman of the Consumer Compliance Task Force for the Federal Financial Institutions\nExamination Council (FFIEC).\n\nOur fieldwork also included\n\n       \xe2\x80\xa2   comparisons of examination frequencies and scopes under old and new DCA policies;\n\n       \xe2\x80\xa2   reviews of Office of Internal Control Management guidance related to management\n           control plans and internal control reviews;\n\n       \xe2\x80\xa2   reviews of the DCA 1995 \xe2\x80\x93 1998 management control plans;\n\n       \xe2\x80\xa2   a review of the regulations related to the FFIEC and projects currently in process\n           under the Consumer Compliance Task Force; and\n\n       \xe2\x80\xa2   a comparison of DCA\'s compliance and CRA examination programs with the\n           programs of the other federal bank regulatory agencies.\n\nWe obtained examination information from the Compliance Statistical System, DCA\'s automated\nexamination tracking system, but we did not independently test the system, since it was being\nredesigned at the time of our review. The audit was conducted in accordance with generally\naccepted government auditing standards. We conducted the audit fieldwork in DCA Washington\nheadquarters and the Atlanta Regional Office from January 9, 1998 though September 17, 1998.\n\nRESULTS OF AUDIT\n\nIn January 1998, during the course of our audit, DCA revised its policy on examination\nfrequency, scope, and priority. The new policy, which allows for a period of up to five years\nbetween full-scope examinations for an estimated 90 percent of FDIC-supervised banks, extends\nthe FDIC review cycle longer than that of any other federal financial regulatory agency. The\npolicy also directs examiners to use \xe2\x80\x9caggressive scoping procedures\xe2\x80\x9d (eliminating or reducing the\nreview for certain laws and regulations), potentially omitting reviews of certain consumer\nprotection requirements. 
It is DCA\xe2\x80\x99s opinion that aggressive scoping will reduce examination\n\n                                                3\n\x0chours and improve efficiency. According to the DCA policy, eliminating the hours spent on low-\nrisk regulations will allow the DCA to focus resources and increase the pace of examinations.\n\nIn addition, in 1996 DCA redefined its internal control risk assessment related to meeting\nexamination frequency requirements and detecting noncompliance by banks, and in 1997 DCA\nlowered the associated risk ranking from \xe2\x80\x9cMedium\xe2\x80\x9d to \xe2\x80\x9cLow.\xe2\x80\x9d However, in light of DCA\xe2\x80\x99s 1998\npolicy to extend examination frequencies and to aggressively scope reviews of bank compliance\nwith consumer protection laws and regulations, the internal control risk assessment should be\nreexamined.\n\n\nDCA\xe2\x80\x99S POLICY ON RISK MANAGEMENT PRIORITIES PLACES FDIC AT A\nGREATER RISK OF NOT DETECTING INSTANCES OF NONCOMPLIANCE\n\nFrom 1996 until early 1998, DCA operated under an FDIC policy requiring full-scope\ncompliance examinations to be performed at least once every three years of those banks for\nwhich the FDIC is the primary federal regulator. This policy was consistent with the policies of\nthe other federal bank regulatory agencies. However, in January 1998, DCA issued Policy\nMemorandum 6410.14, \xe2\x80\x9cRisk Management Priorities,\xe2\x80\x9d to improve risk management procedures\nfor conducting examinations within existing resources. 
Among other things, the new policy\nprovides:\n\n         \xe2\x80\x9cExaminations of institutions rated any combination of \xe2\x80\x9c1\xe2\x80\x9d or \xe2\x80\x9c2\xe2\x80\x9d in Compliance and\n         \xe2\x80\x9cOutstanding\xe2\x80\x9d or \xe2\x80\x9cSatisfactory\xe2\x80\x9d for CRA (regardless of size), may be deferred for up to\n         two years (for a total of five years between examinations) if an on-site Interim Visitation is\n         conducted within the three-year time frame.\xe2\x80\x9d1\n\nThe Risk Management Priorities policy goes on to state that the intent is to ensure an on-site\npresence in all banks at least every three years. However, DCA staffing estimates and work load\nassumptions for 1999 \xe2\x80\x93 2003 (dated July and August 1998, respectively) estimate that there will\nbe a significant number of delinquent examinations, ranging from 699 in 1999 to 395 in 2001.\nFurther, according to the policy, DCA believes that compliance with the new policy may not be\nachieved on a national basis until year-end 2000, and DCA estimates that 90 percent of FDIC-\ninsured banks will be eligible for the two year deferral for the full-scope examinations.\n\nDCA issued the 1998 Risk Management Priorities policy as a temporary measure to address DCA\nexamination delinquencies. The policy specifically states:\n\n\n\n\n1\n  The Interim Visitation program is a narrowly scoped review with limited on-site work. If compliance problems are\ndetected during the Interim Visitation, a full-scope compliance examination can be started. The scope of the review\nfocuses on changes in a bank\xe2\x80\x99s compliance operations; however, there is no requirement that loan files be sampled.\nDCA will not assign ratings to a bank based on an Interim Visitation. DCA estimates that the Interim Visitation will\ntake 40 to 80 hours, depending on the size of the bank. 
In contrast, as of June 30, 1998, a full-scope examination of a\nbank averaged 177 hours and resulted in a formal rating of bank compliance.\n                                                          4\n\x0c       \xe2\x80\x9cThis policy is intended to ensure we have an on-site presence in all FDIC-supervised financial\n       institutions at least every three years. Since there is currently a significant number of delinquent\n       examinations, this policy is to be applied prospectively and compliance may not be entirely\n       achieved on a national basis until year-end 2000.\xe2\x80\x9d\n\nAccording to DCA officials and the Division of Administration Associate Director for\nManagement Review, there was no FDIC Board presentation and no formal Board vote to extend\nexaminations up to 5 years. However, DCA representatives briefed Board members individually\nto explain the need for and the purpose of the policy to extend examination frequencies.\nAccording to DCA officials, the policy was also presented to the FDIC Operating Committee as a\npart of the DCA core staffing request.\n\nThis policy extends DCA\xe2\x80\x99s examination frequency beyond that of any other federal bank\nregulatory agency. While federal laws and regulations do not contain specific requirements for\ncompliance examination frequency, scope, or priority, the Congress did intend that there be some\ndegree of consistency among federal regulators in their compliance reviews. The FFIEC was\nestablished by the Congress to promote improved and consistent examination and supervision\npolicies and procedures among the five financial institution regulatory agencies. 
We found that\nother federal bank regulators continue to require compliance examinations at least once every\nthree years of all banks for which they are the primary federal regulator.\n\nIn addition to changing the frequency of full-scope reviews, the DCA policy lists nine consumer\nprotection laws and regulations that \xe2\x80\x9cshould be evaluated using aggressive scoping procedures to\nthe greatest extent possible.\xe2\x80\x9d \xe2\x80\x9cAggressive scoping procedures\xe2\x80\x9d allow examiners to completely\neliminate or significantly reduce efforts for certain laws and regulations when planning their\nreviews, potentially omitting reviews of these consumer protection requirements. The nine laws\nand regulations to be aggressively scoped are as follows:\n\n       \xe2\x80\xa2   Consumer Leasing Act \xe2\x80\x93 FRB Reg M\n       \xe2\x80\xa2   Interest on Deposits \xe2\x80\x93 FRB Regulation Q / 12 CFR Part 329\n       \xe2\x80\xa2   Preservation of Consumer Claims and Defenses \xe2\x80\x93 FTC Rule Part 433\n       \xe2\x80\xa2   Flood Disaster Protection Act\n       \xe2\x80\xa2   Credit Practices Rule \xe2\x80\x93 FRB Regulation AA\n       \xe2\x80\xa2   Right to Financial Privacy Act\n       \xe2\x80\xa2   Expedited Funds Availability Act \xe2\x80\x93 FRB Reg CC\n       \xe2\x80\xa2   Electronic Funds Transfer Act \xe2\x80\x93 FRB Reg E\n       \xe2\x80\xa2   Truth In Savings Act \xe2\x80\x93 FRB Reg DD\n\nThe policy memorandum states that these laws and regulations\n\n       \xe2\x80\x9c\xe2\x80\xa6 are considered to pose the least amount of risk to the financial institution, the general\n       public, and the FDIC. While reviewing for compliance with some of these regulations may not\n       take much time, any time saved during the examination is a positive shift toward maximizing\n       our efficiency. 
Eliminating the hours spent on many of the low-risk regulations\n\n                                                        5\n\x0c       normally reviewed during an examination will allow us to focus resources on the higher risk\n       areas and should increase the pace of examinations.\xe2\x80\x9d\n\nDCA management officials told us that they did not document the methodology for selecting\nthese nine laws and regulations.\n\nWe found information, some internal to DCA, that is not consistent with DCA\xe2\x80\x99s study of\nviolations. An FDIC Financial Institution Letter (FIL) 87-97 entitled \xe2\x80\x9cConsumer Protection and\nFair Lending Compliance Violations Most Often Cited by FDIC Examiners in 1996\xe2\x80\x9d was issued\nSeptember 2, 1997, four months before the new policy was issued. In this FIL, DCA identified 10\nconsumer laws and regulations as the areas most often cited during the compliance examinations\nof 2,031 institutions conducted in 1996 (see Table 3 on page 12). Four of these laws were\ntargeted for aggressive scoping by DCA in its January 1998 policy: the Electronic Funds Transfer\nAct, the Expedited Funds Availability Act, the Flood Disaster Protection Act, and the Truth in\nSavings Act.\n\nAlso, in the July/August 1998 issue of the American Banker Association (ABA) Bank Compliance\npublication, the ABA presented compliance examination data from the FRB, the OCC, and the\nFDIC and tracked the 11 most common violations found during their examinations. Again, four\nof the nine laws and regulations targeted for aggressive scoping by DCA were identified as\ncommonly cited for violations: the Electronic Funds Transfer Act, the Expedited Funds\nAvailability Act, the Flood Disaster Protection Act, and the Truth in Savings Act.\n\nIn addition, we reviewed the number of violations cited in our sample of 40 banks that were\nexamined in the DCA Atlanta region from January 1997 through March 1998. 
We found that\neven banks with composite compliance ratings of \xe2\x80\x9c1\xe2\x80\x9d and \xe2\x80\x9c2\xe2\x80\x9d had violations noted on seven of the\nlaws and regulations identified for aggressive scoping. Table 1 below summarizes the results of\nour analysis.\n                                      TABLE 1\n        VIOLATIONS FOUND IN 40 BANKS WITH COMPLIANCE RATINGS OF \xe2\x80\x9c1\xe2\x80\x9d AND \xe2\x80\x9c2\xe2\x80\x9d\n\n                                                                           # OF BANKS    % OF BANKS\n  LAWS / REGULATIONS IDENTIFIED FOR AGGRESSIVE SCOPING                        WITH          WITH\n                                                                           VIOLATIONS    VIOLATIONS\n Expedited Funds Availability Act \xe2\x80\x93 FRB Reg CC                                 21           52%\n Flood Disaster Protection Act                                                 19           47%\n Truth In Savings Act \xe2\x80\x93 FRB Reg DD                                             16           40%\n Interest on Deposits \xe2\x80\x93 FRB Regulation Q / 12 CFR Part 329                     11           27%\n Electronic Funds Transfer Act \xe2\x80\x93 FRB Reg E                                     10           25%\n Credit Practices Rule \xe2\x80\x93 FRB Regulation AA                                     3            7%\n Right to Financial Privacy Act                                                2            5%\n Preservation of Consumer Claims and Defenses \xe2\x80\x93 FTC Rule Part 433              0            0%\n Consumer Leasing Act \xe2\x80\x93 FRB Reg M                                              0            0%\nSource: OIG Analysis of 40 DCA Compliance Examinations\n\n\n\n                                                     6\n\x0cWe believe the longer examination frequency intervals, combined with decreased coverage of\ncertain consumer protections, may not ensure that compliance and CRA concerns will be\nidentified 
and addressed in a timely manner. Furthermore, by extending examination frequencies,\nthe DCA \xe2\x80\x9cRisk Management Priorities\xe2\x80\x9d policy may leave the FDIC open to adverse public\nexposure by giving banks and the public the perception that the FDIC has placed a lower priority\non conducting compliance and CRA examinations as compared with other regulatory agencies.\n\nAlthough DCA headquarters management told us that the 9 regulations to be aggressively scoped\nhad the fewest number of violations nationwide,we believe the results of our sample of 40 banks,\ncited above, demonstrate a need to evaluate risk separately at each individual bank. Banks\nnationwide operate in very different environments, serve different clients, and offer different\nservices. In our opinion, nationwide results of bank examinations should not be used to scope the\nreview of laws and regulations at each individual bank. In addition, the banking environment is\nchanging rapidly. Although some regulations, such as those related to financial privacy, may not\nhave had many violations reported in the past, we believe there could be more violations in the\nfuture as electronic banking and commerce technology continues to develop. DCA needs to take\na more proactive approach in assessing risk by looking forward, not back, in time. 
We believe the\nintent of a risk management approach to conducting compliance examinations should allow\nexaminers to evaluate the risk of individual banks and to focus their review and testing based on\nspecific bank risk assessment results.\n\nRecommendations\n\nTo ensure that consumer protection laws and regulations are followed by banks and to confirm\nthe importance the FDIC places on consumer protection requirements, we recommend that the\nActing Director, DCA:\n\n       (1) Conduct an overall risk assessment study, based on current data and evolving trends,\n           to determine the appropriate review cycles and appropriate methods to use when\n           scoping and conducting compliance and CRA examinations.\n\n       (2) Initiate a dialogue with the other federal bank regulatory agencies (possibly through\n           the FFIEC) to determine the adequacy of examination frequency requirements and\n           consistent methods for meeting these requirements.\n\n       (3) Revise Policy Memorandum 6410.14, Risk Management Priorities, by eliminating the\n           direction for examiners to aggressively scope the nine cited consumer protection laws\n           and regulations and instead directing examiners to conduct examinations focusing on\n           individual bank risk assessments.\n\n\n\n                                                  7\n\x0cDCA\'S CURRENT INTERNAL CONTROL RISK RANKING IS INCONSISTENT\nWITH ITS POLICY ON RISK MANAGEMENT PRIORITIES\n\nIn 1996, DCA redefined its internal control risk assessment related to conducting compliance\nexaminations by combining the risk related to meeting examination frequency requirements with\nthe risk related to detecting noncompliance by banks. 
Prior to the change, both of these risks\nwere ranked as \xe2\x80\x9cMedium.\xe2\x80\x9d During 1997, DCA reduced its internal control risk ranking for\nconducting compliance examinations from \xe2\x80\x9cMedium\xe2\x80\x9d to \xe2\x80\x9cLow.\xe2\x80\x9d However, in light of DCA\xe2\x80\x99s\n1998 policy to extend examination frequencies and to aggressively scope reviews of bank\ncompliance with consumer protection laws and regulations, the internal control risk assessment\nshould be reexamined.\n\nThe Chief Financial Officers Act (CFOA) of 1990 requires government corporations, including\nthe FDIC, to submit annual management reports to the Congress signed by the head of the\nagency. In compliance with the CFOA, each FDIC division and office is responsible for:\nestablishing Accountability Units (AU) linked to business activities/functions, identifying risks,\nestablishing control objectives, and developing risk management control plans to evaluate internal\ncontrol standards. The Internal Control Review (ICR) is the evaluation and verification process\nused to provide reasonable assurance that internal controls, as well as business and administrative\npractices, are working as planned and that risks are effectively managed. Each division and office\nperforms ICRs specific to their organization (commonly referred to as Site Visitation Programs or\nProgram Compliance Reviews).\n\nIn its 1996 through 1998 Management Control Plans, DCA defined its first risk for the\nSupervision and Regulations Branch as \xe2\x80\x9cCompliance examinations not performed in accordance\nwith established frequency schedules may increase the possibility of institutions not complying\nwith all applicable consumer protection and fair lending laws and regulations.\xe2\x80\x9d DCA\xe2\x80\x99s\nManagement Control Plan for 1995 defined two separate risks for this are--one for the detection\nof noncompliance in banks and one for its ability to meet examination frequency requirements. 
In\nthe 1995 Plan, DCA rated each risk separately and each of these risks was given a \xe2\x80\x9cMedium\xe2\x80\x9d risk\nranking. In 1996, DCA combined these two risk elements into one, as quoted above, and in 1997\nDCA lowered the risk ranking for the combined risk area to a \xe2\x80\x9cLow\xe2\x80\x9d risk.\n\nThe Office of Internal Control Management (OICM) reviews all of the FDIC internal control\nassessments. The OICM Interim Guidance on Internal Control Programs, dated January 1997,\ndirected that: the number of AUs identified by each division or office be reviewed and\nstreamlined, ultimately cutting down on the number that would have to be tracked; and AUs be\nestablished at the highest level that would lend itself to efficient and effective internal control\nreview. The guidance further stated that while individual components of an AU may have varying\nlevels of associated risk, an overall risk ranking at the AU level should provide a meaningful\nassessment of susceptibility of a program or function to the occurrence of waste, loss\nunauthorized use or misappropriations.\n\n\n                                                 8\n\x0cAccording to DCA, the risk areas related to the detection of noncompliance in banks and the\nDCA\xe2\x80\x99s ability to meet examination frequency requirements were combined, in accordance with\nthe OICM guidance, because they were similar and closely aligned. It is OICM\xe2\x80\x99s opinion that,\nalthough it would appear a \xe2\x80\x9cHigh\xe2\x80\x9d risk ranking might be appropriate for the combined DCA risk\narea, the area is being adequately monitored. 
According to OICM, a risk ranking of \xe2\x80\x9cHigh\xe2\x80\x9d\nwould require an annual review of the internal controls for the associated accountability unit.\nBecause DCA conducts several regional office reviews each year that include reviews of the\ncontrol points included in its Management Control Plan, OICM believes the requirement for\nannual reviews is already satisfied, just as though DCA had assessed this as a \xe2\x80\x9cHigh\xe2\x80\x9d risk area.\nAccording to DCA officials, regional and field office reviews are conducted on two year and three\nyear cycles, respectively, covering four of the eight DCA regional offices per year.\n\nIn light of DCA\xe2\x80\x99s 1998 policy to extend examination frequencies and to aggressively scope\nreviews of bank compliance with consumer protection laws and regulations, the internal control\nrisk assessment should be reexamined. By extending the examination cycle to as much as five\nyears, DCA\xe2\x80\x99s January 1998 policy memorandum actually may increase the risk of not detecting\nnoncompliance. Because the risk ranking dictates the frequency with which controls must be\nassessed by the divisions and offices, lowering the risk ranking over controls to detect\nnoncompliance could result in less scrutiny of the area should DCA decide not to continue with its\nannual regional office reviews.\n\nIn addition, we believe the actual \xe2\x80\x9crisk\xe2\x80\x9d for DCA is, as stated in its 1995 Management Control\nPlan, the risk of not detecting noncompliance with applicable consumer protection and fair lending\nlaws and regulations. 
We also believe that the risk of not detecting noncompliance in a timely
manner is currently higher for the following reasons:

   •   DCA has permitted the compliance examination cycle to be extended as much as five years
       between full-scope examinations, longer than that of any other federal bank regulatory
       agency.

   •   When full-scope examinations are conducted, DCA procedures require examiners, at a
       minimum, to review a sample of transactions dating back six months to two years, leaving
       three years of transactions out of the universe for testing. Therefore, under the revised
       policy, if an examination is deferred for up to five years between examinations,
       transactions occurring in the first three years of this period may never be reviewed.

   •   Supervisors do not regularly review the examination working papers that support
       examination conclusions. According to DCA, the only regular oversight is performed
       during the regional office reviews and field office reviews conducted by DCA staff on
       two-year and three-year cycles, respectively.

Recommendations

To more accurately reflect the effect of extending the frequency requirements for full-scope
compliance examinations, we recommend that the Acting Director, DCA:

       (4) Revise the DCA Management Control Plan to separately identify and evaluate the risk
           of: (a) not detecting instances of noncompliance in banks, and (b) not meeting the
           examination frequency requirements established in DCA policy.

       (5) Re-evaluate the risk areas defined in recommendation 4, and assign higher risk
           rankings to more accurately reflect the lengthening of review cycles, staff shortages,
           lack of supervisory reviews of examination workpapers, or any future changes made to
           the frequency, scope, or priority of compliance examinations.


CORPORATION COMMENTS AND OIG EVALUATION

On March 2, 1999, the Acting Director of DCA provided a written response to the draft report.
This response is presented in Appendix I of this report.

In response to recommendations 1, 2, and 3, the Acting Director, DCA, stated that DCA Policy
Memorandum 6410.14, entitled “Risk Management Priorities,” will be superseded, and
compliance examiners will be required to follow the existing guidelines contained in the DCA
Compliance Examination Manual. The policy was issued as a temporary measure intended to
provide regions with a discretionary tool (i.e., Interim Visitation) that could assist them in
complying with the FDIC’s January 1998 goal of having an on-site presence in all institutions over
the subsequent 3-year period. The temporary policy has been used only sparingly by the regions,
and no more than five Interim Visitations were performed in 1998.

The Acting Director also agreed with recommendation 4, and DCA will separately identify and
evaluate the risk areas related to the detection of noncompliance in banks and DCA's ability to
meet examination frequency requirements. For recommendation 5, the Acting Director stated
that DCA management determined that the risk assessment for the Supervision and Regulation
Accountability Unit, which was completed and issued in February 1998, resulted in a low risk
ranking. DCA management reaffirmed the risk ranking level of the Accountability Unit in the
Management Control Plan submitted to OICM on February 16, 1999, and will re-evaluate the risk
ranking level in the fourth quarter 1999 for the year 2000 Management Control Plan submission.

These actions adequately address our audit concerns. In addition, the Corporation’s response to
the draft report provided the elements necessary for management decisions on the report’s
recommendations.
Appendix II presents management’s proposed actions on our
recommendations and shows that there is a management decision for each recommendation in this
report.


                                          TABLE 2

                     CONSUMER PROTECTION LAWS AND REGULATIONS

       Advertisement of FDIC Membership – FDIC Part 328
       Community Reinvestment Act
       Consumer Leasing Act
       Credit Practices Rule – FRB Regulation AA
       Electronic Funds Transfer Act
       Equal Credit Opportunity Act
       Expedited Funds Availability Act
       Fair Credit Reporting Act
       Fair Debt Collection Practices Act
       Fair Housing Act
       Flood Disaster Protection Act
       Home Mortgage Disclosure Act
       Interest on Deposits – FRB Regulation Q
       Preservation of Consumer Claims and Defenses – FTC Rule Part 433
       Real Estate Settlement Procedures Act
       Right to Financial Privacy Act
       Truth in Lending Act
       Truth in Savings Act

Source: DCA Compliance Examination Manual, dated May 1998


                                          TABLE 3

         COMMON COMPLIANCE VIOLATIONS FOR 1996 DCA EXAMINATIONS

LAWS/REGULATIONS                          # OF BANKS WITH      % OF BANKS WITH
                                          VIOLATIONS (*)       VIOLATIONS
Truth in Lending Act                            1547                 76
Real Estate Settlement Procedures Act           1528                 75
Equal Credit Opportunity Act                    1238                 61
Fair Housing Act                                1237                 61
Truth in Savings Act                            1036                 51
Flood Disaster Protection Act                    953                 47
Expedited Funds Availability Act                 919                 45
Home Mortgage Disclosure Act                     662                 33
Fair Credit Reporting Act                        509                 25
Electronic Funds Transfer Act                    444                 22

(*) Total number of banks examined = 2,031

Source: FDIC Financial Institution Letter #87-97, entitled Consumer Protection and Fair
Lending Compliance Violations Most Often Cited by FDIC Examiners in 1996, dated
September 2, 1997.


                                                                                APPENDIX I

           DIVISION OF COMPLIANCE AND CONSUMER AFFAIRS RESPONSE

FDIC
Federal Deposit Insurance Corporation
Washington, DC 20429                              Division of Compliance and Consumer Affairs

                                                       March 2, 1999

MEMORANDUM TO:        David H. Loewenstein
                      Assistant Inspector General

FROM:                 Ronald F. Bieker
                      Acting Director
                      Division of Compliance and Consumer Affairs

SUBJECT:              Response to Draft Report Entitled
                      Review of DCA Policy for Determining Examination
                      Frequency, Scope, and Priority

As requested, this memorandum presents the Division of Compliance and Consumer Affairs’
comments and recommendations with regard to the above-referenced draft report in both hard
copy and electronic format.

Recommendations 1, 2, and 3 in the OIG draft report focus on the release and
implementation of DCA's January 1998 Policy Memorandum 6410.14, "Risk Management
Priorities."

DCA issued the 1998 "Risk Management Priorities" policy to improve risk management
procedures for conducting examinations within existing resources. The intent of the policy was to
ensure that DCA had an on-site presence in all FDIC-supervised financial institutions at least
every three years.

The OIG draft report states that by extending the examination frequencies, the DCA "Risk
Management Priorities" policy may not ensure that compliance and CRA concerns are identified
and addressed in a timely manner.
Also, the policy may leave the FDIC open to adverse public
exposure by giving banks and the public the perception that the FDIC has placed a lower priority
on conducting compliance and CRA examinations as compared to the other regulatory agencies.
Furthermore, the OIG states that DCA should conduct its compliance and CRA examinations by
evaluating institutional risk on a case-by-case basis.

DCA would like to point out that the "Risk Management Priorities" policy was issued as a
temporary measure intended to provide regions with a discretionary tool (i.e., Interim Visitation)
that could assist them in complying with the FDIC’s January 1998 goal of having an on-site
presence in all institutions over the subsequent three-year period. Although temporary
adjustments to the frequency schedule have been made to help regions manage a large volume of
delinquent exams, the official schedule remained in effect for 1998 and will continue to be the
standard by which examinations are scheduled and delinquencies are determined.

In fact, the temporary policy has been used only sparingly by the regions and has had no
significant impact on overall compliance with the division’s official examination frequency
schedule (1-year, 2-year, or 3-year cycle depending on asset size and rating). No more than five
Interim Visitations were performed in 1998 and, as of January 15, 1999, only one bank (pending
merger) among 5,947 was more than two years delinquent, based on the official schedule.

As reported in the 1998 year-end Annual Performance Plan, DCA started 1,989 examinations as
compared to the original projection of 1,610 examinations in the 1998 Core Staffing submission,
completed in the fourth quarter 1997. In 1999, DCA projects starting 2,315 examinations. The
number of these examination starts not only results in DCA adhering to its official examination
frequency schedule, but also indicates that DCA will significantly reduce the number of
examination delinquencies.

DCA has compared its exam frequency schedule with the OTS, FRB, and OCC and determined
that the official examination schedule is fully consistent with the other supervisory agencies.
FDIC has maintained and will continue to maintain an in-depth dialogue with other federal
agencies. In fact, DCA currently chairs the FFIEC Consumer Compliance Task Force Examination
Subcommittee, which specifically addresses consistency of all examination-related activity among
the supervisory agencies, including examination frequency requirements and the application of a
consistent methodology.

Finally, DCA fully agrees with the OIG regarding the appropriateness of evaluating institutional
risk on a case-by-case basis and is committed to managing the compliance examination program in
accordance with that philosophy.
In fact, DCA's compliance examination policies and procedures
manual clearly states that the examiner should conduct the appropriate risk evaluation on each
examination.

To ensure that DCA remains focused on adhering to the official examination frequency schedule
as well as applying the appropriate risk management procedures as presented in the Compliance
Manual, DCA will issue a Memorandum to all staff superseding the January 1998 Policy
Memorandum 6410.14, "Risk Management Priorities."

DCA anticipates completing this action, and providing a copy of the Memorandum to the OIG, no
later than March 31, 1999.

Recommendation 4 of the draft audit report suggests that DCA's Management Control
Plan separately identify and evaluate the risk of: (a) not detecting instances of
noncompliance in banks, and (b) not meeting the examination frequency requirements
established in the DCA policy.

As presented in the OIG report, in 1997 DCA combined the risk areas related to the detection of
noncompliance in banks and DCA's ability to meet examination frequency requirements because
they were so closely aligned. This was a management decision to streamline the risk reporting in
the MCP as requested by the OICM. Although the risks were combined, the testing associated
with those separate risks was maintained in both the Regional and Field Office ICRs.

DCA has no problem with separating out the currently combined risks. We will submit the
change to OICM for consideration.

DCA anticipates completing this action and providing a copy of the Management Control Plan to
the OIG no later than March 31, 1999.

Recommendation 5 of the draft report suggests that DCA reevaluate the Supervision and
Regulation Accountability Unit risk ranking to more accurately reflect the lengthening of
the review cycles or any other future changes made to the frequency, scope, or priority of
compliance examinations.

DCA management determined that the Supervision and Regulation Accountability Unit, which
was completed and issued in February 1998, would have a low risk ranking. DCA management
reaffirmed the risk ranking level of the Accountability Unit in the Management Control Plan
submitted to OICM on February 16, 1999.

As discussed under our response to recommendations 1, 2, and 3, DCA has not incurred an
additional lengthening of examinations. In fact, DCA has maintained the official examination
frequency schedule and continues to reduce the number of delinquencies. Also, the
FDIC-supervised financial institutions were, and remain today, very healthy. Not only were the
financial institutions very strong, but they were very much in compliance with Consumer
Protection and CRA Laws and Regulations. The percentage of FDIC-supervised institutions with a
Compliance and a CRA examination rating of 1 or 2 was 95% and 99%, respectively.

In conjunction with separating out the risks identified in recommendation 4 noted above, DCA
will evaluate the risk ranking level in the fourth quarter 1999 for the year 2000 Management
Control Plan submission.
Upon completion and OICM approval, we will provide a copy of the
Management Control Plan to the OIG.

If you have any questions, please contact Melissa D'Onofrio, Associate Director for Operations, at
202-942-3223.


                                                                               APPENDIX II

                    MANAGEMENT RESPONSES TO RECOMMENDATIONS

The Inspector General Act of 1978, as amended, requires the OIG to report the status of management
decisions on its recommendations in its semiannual reports to the Congress. To consider FDIC’s
responses as management decisions in accordance with the act and related guidance, several
conditions are necessary. First, the response must describe for each recommendation

   •   the specific corrective actions already taken, if applicable;
   •   corrective actions to be taken together with the expected completion dates for their
       implementation; and
   •   documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the
amount agreed or disagreed with and the reasons for any disagreement. In the case of questioned
costs, the amount FDIC plans to disallow must be included in management’s response.

If management does not agree that a recommendation should be implemented, it must describe why
the recommendation is not considered valid.

Second, the OIG must determine that management’s descriptions of (1) the course of action already
taken or proposed and (2) the documentation confirming completion of corrective actions are
responsive to its recommendations.

This table presents the management responses that have been made on recommendations in our
report and the status of management decisions. The information for management decisions is based
on management’s written response to our report.

Rec.   Corrective Action: Taken or        Expected         Documentation That Will      Monetary   Management
No.    Planned/Status                     Completion Date  Confirm Final Action         Benefits   Decision:
                                                                                                   Yes or No
-----  ---------------------------------  ---------------  ---------------------------  ---------  -----------
1      DCA will supersede Policy          March 31, 1999   Copy of the memorandum to    NA         YES
       Memorandum 6410.14, entitled                        all staff superseding the
       “Risk Management Priorities,”                       January 1998 Policy
       and require compliance examiners                    Memorandum 6410.14, “Risk
       to follow the existing guidelines                   Management Priorities.”
       contained in the DCA Compliance
       Examination Manual.

2      DCA will supersede Policy          March 31, 1999   Copy of the memorandum to    NA         YES
       Memorandum 6410.14, entitled                        all staff superseding the
       “Risk Management Priorities,”                       January 1998 Policy
       and require compliance examiners                    Memorandum 6410.14, “Risk
       to follow the existing guidelines                   Management Priorities.”
       contained in the DCA Compliance
       Examination Manual.

3      DCA will supersede Policy          March 31, 1999   Copy of the memorandum to    NA         YES
       Memorandum 6410.14, entitled                        all staff superseding the
       “Risk Management Priorities,”                       January 1998 Policy
       and require compliance examiners                    Memorandum 6410.14, “Risk
       to follow the existing guidelines                   Management Priorities.”
       contained in the DCA Compliance
       Examination Manual.

4      DCA will separately identify and   March 31, 1999   Copy of the revised 1999     NA         YES
       evaluate the risk areas related                     DCA Management Control
       to the detection of noncompliance                   Plan submitted to Office of
       in banks and DCA's ability to                       Internal Control
       meet examination frequency                          Management.
       requirements.

5      DCA will re-evaluate the risk      Fourth Quarter   Copy of the DCA Year 2000    NA         YES
       ranking level for the DCA          1999             Management Control Plan.
       supervision and regulation
       accountability unit in the
       fourth quarter 1999 for the
       year 2000 Management Control
       Plan submission.